Abstract 

A workflow specification defines a set of steps and the order in which those steps must be 
executed. Security requirements and business rules may impose constraints on which users 
are permitted to perform those steps. A workflow specification is said to be satisfiable if there 
exists an assignment of authorized users to workflow steps that satisfies all the constraints. 
An algorithm for determining whether such an assignment exists is important, both as a 
static analysis tool for workflow specifications, and for the construction of run-time reference 
monitors for workflow management systems. We develop new methods for determining 
workflow satisfiability based on the concept of constraint expressions, which were introduced 
recently by Khan and Fong. These methods are surprisingly versatile, enabling us to develop 
algorithms for, and determine the complexity of, a number of different problems related to 
workflow satisfiability. 

1 Introduction 

It is increasingly common for organizations to computerize their business and management processes. The co-ordination of the tasks or steps that comprise a computerized business process is managed by a workflow management system (or business process management system). Typically, the execution of these steps will be triggered by a human user, or a software agent acting under the control of a human user, and the execution of each step will be restricted to some set of authorized users. 

A workflow is defined by the steps that comprise a business process and the order in which those steps should be performed. Moreover, it is often the case that some form of access control, often role-based, should be applied to limit the execution of steps to authorized users. In addition, many workflows require controls on the users that perform groups of steps. The concept of a Chinese wall, for example, limits the set of steps that any one user can perform [5], as does separation-of-duty, which is a central part of the role-based access control model [T]. Hence, it is important that workflow management systems implement security controls that enforce authorization rules and business rules, in order to comply with statutory requirements or best practice [6]. It is these "security-aware" workflows that will be the focus of the remainder of this paper. 

A simple, illustrative example for purchase order processing [10] is shown in Figure 1. In the first step of the workflow, the purchase order is created and approved (and then dispatched to the supplier). The supplier will submit an invoice for the goods ordered, which is processed by the create payment step. When the supplier delivers the goods, a goods received note (GRN) must be signed and countersigned. Only then may the payment be approved and sent to the supplier. Note that a workflow specification need not be linear: the processing of the GRN and of the invoice can occur in parallel, for example. 
In addition to defining the order in which steps must be performed, the workflow specification includes rules to prevent fraudulent use of the purchase order processing system. In our example, these rules restrict the users that can perform pairs of steps in the workflow: the same user may not sign and countersign the GRN, for example. 
Figure 1: A simple constrained workflow for purchase order processing 

It is apparent that it may be impossible to find an assignment of authorized users to workflow steps such that all constraints are satisfied. In this case, we say that the workflow specification is unsatisfiable. The Workflow Satisfiability Problem (WSP) is known to be NP-hard, even when the set of constraints only includes constraints that have a relatively simple structure (and that would arise regularly in practice).¹ 

The rules described above can be encoded using constraints [10], the rules being enforced if and only if the constraints are satisfied. More complex constraints, in which restrictions are placed on the users who execute sets of steps, can also be defined [3] [T^l [H] and can encode more complex business requirements. (We describe these constraints in more detail in Section 2.1.) A considerable body of work now exists on the satisfiability of workflow specifications that include such constraints [6], [12], [21]. 

In this paper, we use constraint expressions to solve WSP. Constraint expressions were introduced by Khan and Fong in their work on workflow feasibility [16]. However, the potential of constraint expressions was not fully realized. In this paper, we show how constraint expressions can be used to solve WSP and a number of related problems. 

We also introduce a set of operators for combining workflows. This allows us to model workflows in which the execution of steps is determined at execution time, which we will call conditional workflows. Our model enables us to formulate the satisfiability problem for conditional workflows, which we solve using constraint expressions. To our knowledge, these are the first results on conditional workflows. 

The main contributions of this paper are: 

• to generalize the results of Wang and Li on the fixed parameter tractability of WSP (Section 3); 

• to introduce a language for workflow composition (Section 4); 

• to establish new results on the satisfiability of conditional workflows (Section 4); 

• to demonstrate how a problem studied by Armando et al. [3] and a problem introduced by Crampton [10] can be solved using constraint expressions (Section 5). 

¹ In particular, the Graph k-Colorability problem can be reduced to a special case of WSP in which the workflow specification only includes separation-of-duty constraints [21]. 

In the next section we provide relevant background material. In Sections 3 to 5 we describe our results. The proofs of our results can be found in the appendix, with the exception of the proof of Theorem 5. We conclude with a summary of our contributions, a discussion of related work, and our plans for future work. 

2 Background 

In this section, we introduce our notation and definitions, derived from earlier work [10, 21], and then define the workflow satisfiability problem. In order to make the paper self-contained, we also provide a short overview of parameterized complexity and summarize a number of useful results from the literature. 

2.1 The Workflow Satisfiability Problem 

A directed acyclic graph G = (V, E) is defined by a set of nodes V and a set of edges E ⊆ V × V. The reflexive, transitive closure of a directed acyclic graph defines a partial order, where v ≤ w if and only if there is a path from v to w in G. If (V, ≤) is a partially ordered set, then we write v ‖ w if v and w are incomparable; that is, v ≰ w and w ≰ v. We may write v ≥ w whenever w ≤ v. We may also write v < w whenever v ≤ w and v ≠ w. Finally, we will write [n] to denote {1, …, n}. 

Definition 1. A workflow specification is defined by a directed, acyclic graph G = (S, E), where S is a set of steps and E ⊆ S × S. Given a workflow specification (S, E) and a set of users U, an authorization policy for a workflow specification is a relation A ⊆ S × U. A workflow authorization schema is a tuple (G, U, A), where G = (S, E) is a workflow specification and A is an authorization policy. 

We will use the representations of a workflow specification as a partial order and a DAG interchangeably. The workflow specification describes a sequence of steps and the order in which they must be performed when the workflow is executed, each such execution being called a workflow instance. If s < s' then s must be performed before s' in every instance of the workflow; if s ‖ s' then s and s' may be performed in either order. User u is authorized to perform step s only if (s, u) ∈ A.² We assume that for every step s ∈ S there exists some user u ∈ U such that (s, u) ∈ A. 

² In practice, the set of authorized step-user pairs, A, will not be defined explicitly. Instead, A will be inferred from other access control data structures. In particular, R²BAC — the role-and-relation-based access control model of Wang and Li [21] — introduces a set of roles R, a user-role relation UR ⊆ U × R and a role-step relation SA ⊆ R × S from which it is possible to derive the steps for which users are authorized. For all common access control policies (including R²BAC), it is straightforward to derive A. We prefer to use A in order to simplify the exposition. 
Definition 2. Let ((S, E), U, A) be a workflow authorization schema. A plan is a function π : S → U. A plan π is authorized for ((S, E), U, A) if (s, π(s)) ∈ A for all s ∈ S. 

Definition 3. A workflow constraint has the form (ρ, S1, S2), where S1, S2 ⊆ S and ρ ⊆ U × U. A constrained workflow authorization schema is a tuple ((S, E), U, A, C), where C is a set of workflow constraints. 

Definition 4. A plan π : S → U satisfies a workflow constraint (ρ, S1, S2) if there exist s1 ∈ S1 and s2 ∈ S2 such that (π(s1), π(s2)) ∈ ρ. Given a constrained workflow authorization schema ((S, E), U, A, C), a plan π is valid if it is authorized and it satisfies all constraints in C. 

We write Δ ⊆ U × U to denote the diagonal relation {(u, u) : u ∈ U} and Δ^c to denote its complement {(u, v) : (u, v) ∉ Δ}. Thus, the constraint on steps s1 and s2 in Figure 1 would be written as (Δ^c, {s1}, {s2}). 

We may now define the workflow satisfiability problem, as defined by Wang and Li [21]. 

Workflow Satisfiability Problem (WSP) 

Input: A constrained workflow authorization schema ((S, E), U, A, C) 
Output: A valid plan π : S → U or an answer that there exists no valid plan 

We now discuss constraints in more detail, including the type of business rules we can encode using our constraints, and compare them to constraints in the literature. Our definition of workflow constraint is more general than similar definitions used when studying WSP. Crampton defined constraints in which S1 and S2 are singleton sets: we will refer to constraints of this form as Type 1 constraints; for brevity we will write (ρ, s1, s2) for the Type 1 constraint (ρ, {s1}, {s2}). Wang and Li defined constraints in which at least one of S1 and S2 is a singleton set: we will refer to constraints of this form as Type 2 constraints and we will write (ρ, s1, S2) in preference to (ρ, {s1}, S2). Constraints in which S1 and S2 are arbitrary sets will be called Type 3 constraints. 

We say that two constraints γ and γ' are equivalent if a plan π satisfies γ if and only if it satisfies γ'. The Type 2 constraint (ρ, s1, S2) is equivalent to (ρ, S2, s1) if ρ is symmetric, in which case we will write (ρ, s1, S2) in preference to (ρ, S2, s1). 

It is worth pointing out that Type 1 constraints can express requirements of the form described in Section 1, where we wish to restrict the combinations of users that perform pairs of steps. The plan π satisfies constraint (Δ, s, s'), for example, if the same user is assigned to both steps by π, and satisfies constraint (Δ^c, s, s') if different users are assigned to s and s'. In other words, these represent, respectively, binding-of-duty and separation-of-duty constraints. Abusing notation in the interests of readability, we will replace Δ and Δ^c by = and ≠, respectively. 

Type 2 constraints provide greater flexibility, although Wang and Li, who introduced these constraints, do not provide a use case for which such a constraint would be needed. However, there are forms of separation-of-duty requirements that are most naturally encoded using Type 3 constraints. Consider, for example, the requirement that a set of steps S' ⊆ S must not all be performed by the same user [2]. We may encode this as the constraint (≠, S', S'), which is satisfied by a plan π only if there exist two steps in S' that are allocated to different users by π. 

Henceforth, we will write WSP(ρ1, …, ρt) to denote a special case of WSP in which all constraints have the form (ρ_i, S', S'') for some ρ_i ∈ {ρ1, …, ρt} and for some S', S'' ⊆ S. We will write WSP_i(ρ1, …, ρt) to denote a special case of WSP(ρ1, …, ρt) in which there are no constraints of Type j for j > i. Thus, WSP1(=, ≠), for example, indicates an instance of WSP in which all constraints have the form (=, s1, s2) or (≠, s1, s2) for some s1, s2 ∈ S. 

We will write c, n and k to denote the number of constraints, users and steps, respectively, 
in an instance of WSP. We will analyze the complexity of the workflow satisfiability problem in 
terms of these parameters. 
Note that the definition of WSP given above does not make any reference to the ordering on the set of steps. The original definition, as formulated by Crampton [10], included constraints that were sensitive to the order in which steps were executed. If s ‖ s', we may define two different constraints (ρ, s, s') and (ρ', s', s), the first of which must be satisfied if s is performed before s', while the second must be satisfied if s' is performed before s. To facilitate direct comparison with the work of Wang and Li on WSP, we defer the analysis of Crampton's version of the problem until Section 5. 

2.2 Applications of WSP 

There are a number of different execution models for workflow systems. In some systems, a tasklist is created when a workflow is instantiated. The tasklist is simply a valid plan for the workflow instance, allocating users to specific steps in the workflow instance. In other systems, the workflow system maintains a pool of ready steps for each workflow instance. We say a step is ready in a workflow instance if all its immediate predecessor steps have been executed. The workflow system may allocate ready steps to users; alternatively users may select steps to perform from the pool. In both cases, the system must ensure both that the user is authorized and that allowing the user to perform the step does not prevent the remaining steps in the workflow instance from completing. 

For systems that create tasklists, it is sufficient to know that the workflow specification 
is satisfiable. Thus, an algorithm for deciding WSP is an important static analysis tool for 
such systems. However, such an algorithm will only need to be executed when the workflow 
specification is created or when it changes. The fact that the problem is NP-hard means that it 
is important to find as efficient an algorithm as possible. 

For other systems, however, the algorithm will need to be run repeatedly: every time a user is allocated to a step. Note that the decision whether to allow a user to execute a step in a partially completed workflow instance can be determined by solving an instance of WSP. Specifically, suppose W = ((S, E), U, A, C) is a workflow specification, some subset S' of steps have been performed in some instance of W, and the system needs to decide whether to allow u' to perform s'. Thus we have a partial plan π : S' → U. We then construct a new workflow instance W' = ((S, E), U, A', C), where (s, u) ∈ A' if and only if one of the following conditions holds: (i) s ∈ S' and u = π(s); (ii) s = s' and u = u'; (iii) s ∉ S' ∪ {s'} and (s, u) ∈ A. Clearly, the workflow instance is satisfiable (when u' performs s') if and only if W' is satisfiable. Assuming that these checks should incur as little delay as possible, particularly in the case when users select steps in real time [17], it becomes even more important to find an algorithm that can decide WSP as efficiently as possible. 

The definition of workflow satisfiability given above assumes that the set of users and the authorization relation are given. This notion of satisfiability is appropriate when the workflow schema is designed "in-house". A number of large information technology companies develop business process systems which are then configured by the end users of those systems. Part of that configuration includes the assignment of users to steps in workflow schemas. The developer of such a schema may wish to be assured that the schema is satisfiable for some set of users and some authorization relation, since the schema is of no practical use if no such user set and authorization relation exist. The desired assurance can be provided by solving an instance of WSP in which there are k users, each of which is authorized for all steps. The developer may also determine the minimum number of users required for a workflow schema to be satisfiable. The minimum number must be between 1 and k and, using a binary search, can be determined by examining ⌈log2 k⌉ instances of WSP. 
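The run-time reference monitor check and the minimum-user search of this section, as an added example that is not code from the paper: it implements Definitions 2 to 4 directly, decides WSP by the naive enumeration of all n^k plans, builds the restricted authorization relation A' from a partial plan, and binary-searches the minimum number of users. The step names follow Figure 1, but the user set, the authorization relation and the constraint set are constructed for illustration.

```python
from itertools import product

# Constructed example (not the paper's exact instance): the six purchase-order
# steps of Figure 1 with a made-up user set and authorization relation A ⊆ S × U.
STEPS = ["create_po", "approve_po", "create_payment",
         "sign_grn", "countersign_grn", "approve_payment"]
USERS = ["alice", "bob", "carol"]
AUTH = {(s, u) for s in STEPS for u in USERS} - {("countersign_grn", "alice")}

# Relations rho ⊆ U × U as predicates: Delta (same user) and its complement.
SAME = lambda u, v: u == v
DIFF = lambda u, v: u != v

# Workflow constraints (rho, S1, S2) as in Definition 3 (constructed).
CONSTRAINTS = [
    (DIFF, {"sign_grn"}, {"countersign_grn"}),        # Type 1 separation of duty
    (DIFF, {"create_po"}, {"approve_po"}),
    (DIFF, {"create_payment"}, {"approve_payment"}),
    # Type 3: the three financial steps must not all be done by one user
    (DIFF, {"approve_po", "create_payment", "approve_payment"},
           {"approve_po", "create_payment", "approve_payment"}),
]

def satisfies(plan, constraint):
    """Definition 4: some s1 in S1, s2 in S2 with (plan(s1), plan(s2)) in rho."""
    rho, s1, s2 = constraint
    return any(rho(plan[a], plan[b]) for a in s1 for b in s2)

def is_valid(plan, auth, constraints):
    """A plan is valid if it is authorized and satisfies every constraint."""
    return (all((s, u) in auth for s, u in plan.items())
            and all(satisfies(plan, c) for c in constraints))

def solve_wsp(steps, users, auth, constraints):
    """Naive decision procedure for WSP: try all n^k plans (Section 2.3)."""
    for choice in product(users, repeat=len(steps)):
        plan = dict(zip(steps, choice))
        if is_valid(plan, auth, constraints):
            return plan
    return None

def may_perform(steps, users, auth, constraints, partial, step, user):
    """Run-time check of Section 2.2: given the partial plan pi: S' -> U of an
    instance, may `user` perform `step`?  Authorization is checked first; then
    W' is built with A' given by (i) s in S' and u = pi(s); (ii) s = step and
    u = user; (iii) s outside S' + {step} and (s, u) in A; and WSP is decided on W'."""
    if (step, user) not in auth or step in partial:
        return False
    auth2 = set()
    for s in steps:
        for u in users:
            if s in partial:
                ok = (u == partial[s])
            elif s == step:
                ok = (u == user)
            else:
                ok = (s, u) in auth
            if ok:
                auth2.add((s, u))
    return solve_wsp(steps, users, auth2, constraints) is not None

def min_users(steps, constraints):
    """Smallest j in [1, k] for which the schema is satisfiable with j users that
    are authorized for every step, found by binary search over ceil(log2 k)
    WSP instances (Section 2.2).  Returns None if even k users do not suffice."""
    k = len(steps)

    def satisfiable_with(j):
        users = [f"u{i}" for i in range(j)]
        auth = {(s, u) for s in steps for u in users}
        return solve_wsp(steps, users, auth, constraints) is not None

    if not satisfiable_with(k):
        return None
    lo, hi = 1, k
    while lo < hi:                  # satisfiability is monotone in the user count
        mid = (lo + hi) // 2
        if satisfiable_with(mid):
            hi = mid
        else:
            lo = mid + 1
    return lo

if __name__ == "__main__":
    print(solve_wsp(STEPS, USERS, AUTH, CONSTRAINTS))
    print(may_perform(STEPS, USERS, AUTH, CONSTRAINTS,
                      {"sign_grn": "bob"}, "countersign_grn", "bob"))   # False
    print(min_users(STEPS, CONSTRAINTS))                                 # 2
```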
2.3 Parameterized Complexity 

A naive approach to solving WSP would consider every possible assignment of users to steps in the workflow. There are n^k such assignments if there are n users and k steps, so an algorithm of this form would have complexity O(cn^k), where c is the number of constraints. Moreover, Wang and Li showed that WSP is NP-hard, by reducing Graph k-Colorability to WSP(≠) [21, Lemma 3]. In short, WSP is hard to solve in general. The importance of finding an efficient algorithm for solving WSP led Wang and Li to look at the problem from the perspective of parameterized complexity [21]. 

Suppose we have an algorithm that solves an NP-hard problem in time O(f(k)n^d), where n denotes the size of the input to the problem, k is some (small) parameter of the problem, f is some function in k only, and d is some constant (independent of k and n). Then we say the algorithm is a fixed-parameter tractable (FPT) algorithm. If a problem can be solved using an FPT algorithm then we say that it is an FPT problem and that it belongs to the class FPT P~51 [T5]. 

Wang and Li showed, using an elementary argument, that WSP2(≠) is FPT and can be solved in time O(k^{k+1} N), where N is the size of the entire input to the problem [21, Lemma 8]. They also showed that WSP2(≠, =) is FPT [21, Theorem 9], using a rather more complex approach: specifically, they constructed an algorithm that runs in time O(k^{k+1} (k − 1)^{k²} N); it follows that WSP2(=, ≠) is FPT. One of the contributions of this paper is to describe a new method for solving WSP3(=, ≠) (that can also be used to solve WSP2(=, ≠)), thus generalizing Wang and Li's result. 

3 Solving WSP Using Constraint Expressions 

In this section, we show how to extend the elementary methods used by Wang and Li to obtain results for WSP2(=, ≠) and WSP3(=, ≠). Informally, our results make use of two observations: 

• A construction used by Crampton et al. [11] can be used to transform an instance of WSP1(=, ≠) into an equivalent instance of WSP1(≠) in time polynomial in the numbers of constraints, steps and users. 

• We can transform an instance of WSP_i(=, ≠) into multiple instances of WSP1(=, ≠), the number of instances being dependent only on the number of steps. 

We use constraint expressions [16] to represent workflow constraints and to reason about multiple constraints and the relationships between different types of constraints. 

3.1 Reducing WSP1(=, ≠) to WSP1(≠) 

The basic idea is to merge all steps that are related by constraints of the form (=, s1, s2) for s1, s2 ∈ S. More formally, consider an instance I of WSP1(=, ≠), given by a workflow ((S, E), U, A, C). 

(1) Construct a graph H with vertices S, in which s', s'' ∈ S are adjacent if C includes a constraint (=, s', s''). 

(2) If there is a connected component of H that contains both s' and s'' and C contains a constraint (≠, s', s''), then I is unsatisfiable, so we may assume there is no such connected component. 

(3) For each connected component T of H, 

(a) replace all steps of T in S by a "superstep" t; 

(b) for each superstep t, authorize user u for t if and only if u was authorized (by A) for all steps in t; 

(c) for each such superstep t, merge all constraints for steps in t. 

Clearly, we now have an instance of WSP1(≠), perhaps with fewer steps and a modified authorization relation, that is satisfiable if and only if I is satisfiable. For ease of reference, we will refer to the procedure described above as the WSP1 constraint reduction method. The reduction can be performed in time O(kc + kn), where c is the number of constraints: step (1) takes time O(k + c); step (3) performs at most k merges; each merge takes O(k + c + n) time (since we need to merge vertices, and update constraints and the authorization relation for the new vertex set);³ finally, if k ≤ c we have O(k(k + c + n)) = O(k(c + n)), and if c ≤ k then we perform no more than c merges in time O(c(k + c + n)) = O(ck + cn) = O(ck + kn). 

3.2 Constraint Expressions 

To understand the intuition behind our approach, consider a workflow W = ((S, E), U, A, {(ρ, S', S'')}), which defines an instance of WSP3(ρ). By definition, a plan π satisfies the constraint (ρ, S', S'') if there exist s' ∈ S' and s'' ∈ S'' such that (π(s'), π(s'')) ∈ ρ. In other words, we could decide the satisfiability of W by considering the satisfiability of multiple instances of WSP1: specifically, for each pair (s', s'') ∈ S' × S'', we consider the satisfiability of the workflow ((S, E), U, A, {(ρ, s', s'')}); if any one of these instances is satisfiable, then so is W. On the other hand, a plan satisfies a workflow W = ((S, E), U, A, {γ1, γ2}), for constraints γ1 and γ2, if and only if it satisfies workflows ((S, E), U, A, {γ1}) and ((S, E), U, A, {γ2}). 

More formally, given a set of steps S, we define a constraint expression recursively: 

• (ρ, s1, s2) is a (primitive) constraint expression; 

• if γ and γ' are constraint expressions, then γ ∧ γ' and γ ∨ γ' are constraint expressions. 

A plan π satisfies constraint expression: 

• γ ∧ γ' if and only if π satisfies γ and γ'; and 

• γ ∨ γ' if and only if π satisfies γ or γ'. 

3.3 Reducing WSP(ρ1, …, ρt) to WSP1(ρ1, …, ρt) 

We now express workflow specifications using constraint expressions, rather than sets of constraints. A constraint (ρ, S', S''), ρ ∈ {ρ1, …, ρt}, is equivalent to a constraint expression ⋁_{s' ∈ S', s'' ∈ S''} (ρ, s', s''), so every constraint can be written as the disjunction of primitive constraints. Moreover, the set of constraints {Γ1, …, Γ_c}, where each Γ_i is a disjunction of primitive constraint expressions, is equivalent to the constraint expression Γ1 ∧ ⋯ ∧ Γ_c. 

In other words, we can reduce the problem of determining the satisfiability of ((S, E), U, A, C) to the problem of determining the satisfiability of a workflow of the form 

((S, E), U, A, Γ1 ∧ ⋯ ∧ Γ_c), 

where c = |C|; each clause Γ_i = (ρ, S_i', S_i'') has the form γ_{i,1} ∨ ⋯ ∨ γ_{i,m(i)}, with m(i) = |S_i'| · |S_i''|; and each literal γ_{i,j} has the form (ρ, s', s'') for some s' ∈ S_i' and s'' ∈ S_i''. In other words, we can represent any instance of WSP3(=, ≠) as a workflow containing a constraint expression in "conjunctive normal form" in which each of the "literals" is a primitive constraint (which corresponds to a single Type 1 constraint). Moreover, each literal is positive. 

³ We can check step (2) when we merge constraints in step 3(c). 

3.4 Solving WSP(=, ≠) 

Given a constraint expression Γ1 ∧ ⋯ ∧ Γ_c, it is easy to see that if we can find a plan π for some constraint expression of the form γ1 ∧ ⋯ ∧ γ_c, with γ_i ∈ Γ_i, then π is a plan for C. This is because such a plan satisfies at least one literal in each clause, thereby causing each Γ_i to be satisfied; and C is satisfied if each clause is satisfied. Conversely, if π is a plan for C then it is a plan for Γ1 ∧ ⋯ ∧ Γ_c and there exists a constraint expression of the form γ1 ∧ ⋯ ∧ γ_c for which π is a plan. In other words, π is a plan for C if and only if it is a plan for γ1 ∧ ⋯ ∧ γ_c for some γ_i ∈ Γ_i, where γ_i is a Type 1 constraint and γ1 ∧ ⋯ ∧ γ_c represents the constraint set {γ1, …, γ_c}. We call γ1 ∧ ⋯ ∧ γ_c a simple constraint expression. That is, we have reduced the satisfiability of an instance of WSP3(=, ≠) to determining the satisfiability of one or more instances of WSP1(=, ≠). The number of instances is equal to ∏_{i=1}^{c} |Γ_i|, where |Γ_i| denotes the number of literals (primitive constraint expressions) in Γ_i. Our strategy for solving an instance of WSP3(=, ≠), therefore, is to try to determine the satisfiability of these related instances of WSP1(=, ≠). 

Theorem 5. WSP2(=, ≠) and WSP3(=, ≠) can be decided in time 

O((k − 1)^c (c(k − 1)^k + kn)) and O(k^{2c} (c(k − 1)^k + kn)), 

respectively, where c is the number of constraints in the workflow instance. 

Proof. We first consider an instance of WSP1(=, ≠), to which we apply the WSP1 constraint reduction to obtain an instance of WSP1(≠). As any step with at least k authorized users can be assigned a user that has not been assigned to any other step, we may focus on the allocation of users to steps having fewer than k authorized users. 

We consider each possible plan in turn and for each plan we check whether every constraint is satisfied. There are no more than (k − 1)^k plans to check — since each of the steps has at most k − 1 authorized users and there are no more than k steps — and each constraint contains two steps, so the time taken to solve WSP1(≠) is O(c(k − 1)^k) and the time taken to solve WSP1(≠, =) is O(c(k − 1)^k + kn). 

Now suppose we are given an instance of WSP(=, ≠). Then we can determine its satisfiability by considering the satisfiability of multiple instances of WSP1(=, ≠), each instance containing c constraints. We now determine the number of instances of WSP1(=, ≠) that need to be considered in the worst case. 

For a Type 2 constraint (ρ, s, S'), we may assume that s ∉ S': for (=, s, S'), if s ∈ S', then the constraint is satisfied by every plan and the constraint is redundant; for (≠, s, S'), if s ∈ S', then the constraint is equivalent to (≠, s, S' \ {s}). Hence, each Type 2 constraint (ρ, s, S') gives rise to |S'| literals in a clause with |S'| < k. So we have c clauses, each of which contains no more than k − 1 literals. 

Type 1 constraints are equivalent to clauses with a single literal. Hence, for an instance of WSP2(=, ≠) there are no more than (k − 1)^c simple constraint expressions and so there are no more than (k − 1)^c instances of WSP1(=, ≠) to check, which can be done in time O((k − 1)^c (c(k − 1)^k + kn + kc)) = O((k − 1)^c (c(k − 1)^k + kn)). 

Each Type 3 constraint (ρ, S', S'') yields a clause containing fewer than |S'| · |S''| ≤ k² literals (which is greater than the number of clauses that can be obtained from a Type 1 or Type 2 constraint). Hence, there are no more than O(k^{2c}) simple constraint expressions and WSP3(≠, =) can be decided in time O(k^{2c} (c(k − 1)^k + kn + kc)) = O(k^{2c} (c(k − 1)^k + kn)). □ 
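The method of Sections 3.1, 3.3 and 3.4 and the proof above, as an added example that is not code from the paper: each constraint is written as a clause of primitive (ρ, s', s'') literals with ρ ∈ {=, ≠}, the simple constraint expressions are enumerated by taking one literal per clause, the WSP1 constraint reduction is applied to each (union-find over the = literals, intersected authorizations, the conflict check of step (2)), and the resulting WSP1(≠) instance is decided by backtracking over supersteps. The four-step instance at the end is constructed for illustration, as are the function names.

```python
from itertools import product

def expand_clauses(constraints):
    """Section 3.3: constraint (rho, S', S'') -> clause of primitive literals
    (rho, s', s'') over s' in S', s'' in S''; rho is "=" or "!=".  Returns None
    when a clause is empty (unsatisfiable); redundant clauses are dropped."""
    clauses = []
    for rel, s1, s2 in constraints:
        if rel == "=" and s1 & s2:
            continue                # a literal (=, s, s) holds for every plan
        lits = [(rel, a, b) for a in sorted(s1) for b in sorted(s2) if a != b]
        if not lits:
            return None             # only literals (!=, s, s): never satisfiable
        clauses.append(lits)
    return clauses

def reduce_to_wsp1_neq(steps, users, auth, literals):
    """Section 3.1 (WSP1 constraint reduction): merge steps linked by "=" literals
    into supersteps, authorize u for a superstep iff u is authorized for all its
    steps, keep "!=" literals between supersteps.  Returns None if a "!=" literal
    falls inside one superstep (step (2)) or a superstep has no authorized user."""
    parent = {s: s for s in steps}

    def find(s):                    # union-find root of step s
        return s if parent[s] == s else find(parent[s])

    for rel, a, b in literals:
        if rel == "=":
            parent[find(a)] = find(b)
    blocks = {}
    for s in steps:
        blocks.setdefault(find(s), []).append(s)
    block_auth = {}
    for root, members in blocks.items():
        block_auth[root] = {u for u in users if all((s, u) in auth for s in members)}
        if not block_auth[root]:
            return None
    neq = set()
    for rel, a, b in literals:
        if rel == "!=":
            ra, rb = find(a), find(b)
            if ra == rb:
                return None
            neq.add((ra, rb))
    return blocks, block_auth, neq

def solve_wsp1_neq(blocks, block_auth, neq):
    """Decide the reduced WSP1(!=) instance by backtracking over supersteps;
    returns a plan on the original steps or None."""
    roots, assign = list(blocks), {}

    def extend(i):
        if i == len(roots):
            return True
        r = roots[i]
        for u in sorted(block_auth[r]):
            # u clashes if some "!=" partner superstep of r already has user u
            if any(assign.get(b if a == r else a) == u for a, b in neq if r in (a, b)):
                continue
            assign[r] = u
            if extend(i + 1):
                return True
            del assign[r]
        return False

    if not extend(0):
        return None
    return {s: assign[r] for r, members in blocks.items() for s in members}

def solve_wsp_eq_neq(steps, users, auth, constraints):
    """Theorem 5 strategy: satisfiable iff some simple constraint expression
    (one literal chosen from every clause) yields a satisfiable WSP1(!=) instance."""
    clauses = expand_clauses(constraints)
    if clauses is None:
        return None
    for simple in product(*clauses):
        reduced = reduce_to_wsp1_neq(steps, users, auth, simple)
        if reduced is not None:
            plan = solve_wsp1_neq(*reduced)
            if plan is not None:
                return plan
    return None

# Constructed instance (ours, not from the paper): four steps, three users and
# one constraint of each type.
STEPS = ["s1", "s2", "s3", "s4"]
USERS = ["u1", "u2", "u3"]
AUTH = {(s, u) for s in STEPS for u in USERS} - {("s4", "u3"), ("s2", "u1")}
CONSTRAINTS = [
    ("=", {"s1"}, {"s4"}),                              # Type 1: binding of duty
    ("!=", {"s4"}, {"s2", "s3"}),                       # Type 2
    ("!=", {"s1", "s2", "s3"}, {"s1", "s2", "s3"}),     # Type 3: not all by one user
]
```

The number of simple constraint expressions tried is the product of the clause sizes (1 · 2 · 6 = 12 here), matching the bound in Section 3.4.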

Corollary 6. WSP2(=, ≠) and WSP3(=, ≠) are FPT. 

3.5 Kernelization of WSP 

Formally, a parameterized problem P can be represented as a relation P ⊆ Σ* × ℕ over a finite alphabet Σ. The second component is called the parameter of the problem. In particular, WSP is a parameterized problem with parameter k, the number of steps. We denote the size of a problem instance (X, k) by |X| + k. 

Definition 7. Given a parameterized problem P, a kernelization of P is an algorithm that maps an instance (X, k) to an instance (X', k') in time polynomial in |X| + k such that (i) (X, k) ∈ P if and only if (X', k') ∈ P, and (ii) k' + |X'| ≤ g(k) for some function g; (X', k') is the kernel and g is the size of the kernel. If g(k) = k^{O(1)}, then we say (X', k') is a polynomial-size kernel. 

A kernelization provides a form of preprocessing aimed at compressing the given instance of 
the problem. Polynomial-size kernels are particularly useful in practice as they often allow us to 
reduce the size of the input of the problem under consideration to an equivalent problem with 
an input of significantly smaller size. 

Crampton et al. recently established that WSP1(=, ≠) has a polynomial-size kernel [11, §6]. In the case of WSP1(=, ≠), we can reduce the problem to one containing at most k users [11, Theorem 6.5]. Crampton et al. also showed that WSP2(=, ≠) (and hence WSP3(=, ≠)) does not have a polynomial-size kernel, so there is no efficient preprocessing step for such instances of WSP. However, our results in this paper show we can reduce an instance of WSP(=, ≠) to at most k^{2c} instances of WSP1(≠) and then solve each instance by first computing a (polynomial-size) kernel. The proof of Corollary 5 asserts that c ≤ 4^k, although we would expect c to be linear or quadratic in the number of steps in practice. This approach is similar to those that use so-called Turing kernels (see [19], for example). 

3.6 Negative Constraint Expressions 

We could extend the syntax for constraint expressions to include negation. In other words, if γ is a constraint expression, then ¬γ is a constraint expression. A plan π satisfies ¬γ if and only if π violates γ. A plan π satisfies the constraint ¬(=, S1, S2), for example, if and only if for all s1 ∈ S1 and s2 ∈ S2, (π(s1), π(s2)) ∉ Δ; that is, if and only if for all s1 ∈ S1 and s2 ∈ S2, π(s1) ≠ π(s2).⁴ Thus, we can encode any instance of WSP(=, ≠) using only constraints of the form (=, s1, s2) if we allow the use of negation. Note, however, that this means that the method for solving WSP(=, ≠) described in Section 3.4 no longer works, because we may have negative literals in our conjunctive normal form expressions. 

However, we can determine the satisfiability of the constraint expression using any SAT solver. A satisfying assignment returned by the SAT solver provides a "template" for a valid plan: if the variable (=, s1, s2) is set to true, then our plan must assign the same user to s1 and s2. This induces a partition of the set of steps into blocks, each of which must be executed by a different user. Hence, each satisfying assignment of the constraint expression gives rise to an instance of WSP1(≠) in which each "step" is a block of steps in the original problem instance. We can solve this instance in time O(|C|(b − 1)^b), where b ≤ k is the number of blocks, since there are at most |C| constraints of the form (=, s1, s2). If b is small relative to k, then this may prove to be a very efficient way of solving the original instance of WSP(=, ≠). However, we may need to consider 2^{|C|} satisfying assignments. In future work we hope to explore whether the additional expressive power of negative constraint expressions allows us to encode business rules of practical relevance. Further experimental work, investigating which strategies for solving WSP work best in practice, is required. 

⁴ This constraint is similar to the separation of duty constraints described by Basin et al. [7] and the universal constraints described by Wang and Li [21]. Of course, we can represent this constraint as the set of Type 1 constraints {(≠, s1, s2) : s1 ∈ S1, s2 ∈ S2}. 

4 Conditional Workflows 

In some situations, we may wish to have conditional branching in a workflow specification, sometimes known as OR-forks [20] or exclusive gateways [22]. In our workflow system for purchase order processing, for example, we may require that only orders with a value exceeding some threshold amount need to be signed for twice. Informally, we can represent this extended specification by the diagram shown in Figure 2, where $s_3'$ represents a step for signing a goods received note on low-valued items. The nodes containing $\|$ and $\oplus$ are "orchestration" steps (or "gateways") at which no processing is performed: $\oplus$ indicates that exactly one of the two branches is executed, while $\|$ denotes that both branches must be executed.



Figure 2: A workflow specification with conditional step execution (the xor gateway chooses between $s_3 ; s_5$ and $s_3'$, in parallel with $s_4$)



4.1 Workflow Composition 

We now introduce a simple language for defining workflows. This language enables us to extend 
the definition of WSP to workflows containing OR-forks, but not to arbitrary workflow patterns. 

We assume every workflow specification includes a start step and a finish step, which we will denote by $\alpha$ and $\omega$, respectively, with subscripts where appropriate. These steps are orchestration steps: no processing is performed by these steps and no constraints are applied to their execution; they are used by the workflow management system solely to manage the initiation and completion of workflow instances. Given two workflow specifications $W_1 = (S_1, E_1)$ and $W_2 = (S_2, E_2)$, we may construct new workflow specifications using serial, parallel and xor composition, denoted by $W_1 ; W_2$, $W_1 \| W_2$ and $W_1 \oplus W_2$, respectively. We assume throughout that $S_1 \cap S_2 = \emptyset$. (If this were not the case, with $s \in S_1 \cap S_2$, we could simply introduce subscripts or new labels to distinguish the two copies of $s$.)

For serial composition, all the steps in $W_1$ must be completed before the steps in $W_2$. Hence, the graph of $W_1 ; W_2$ is formed by taking the union of $S_1$ and $S_2$, the union of $E_1$ and $E_2$, and the addition of a single edge between $\omega_1$ and $\alpha_2$.
For parallel composition, the execution of the steps in $W_1$ and $W_2$ may be interleaved. Hence, the graph of $W_1 \| W_2$ is formed by taking the union of $S_1$ and $S_2$, the union of $E_1$ and $E_2$, the addition of new start and finish steps $\alpha_{par}$ and $\omega_{par}$, and the addition of edges from $\alpha_{par}$ to $\alpha_1$ and $\alpha_2$ and from $\omega_1$ and $\omega_2$ to $\omega_{par}$. This form of composition is sometimes known as an AND-fork [20] or a parallel gateway [22].⁵

In both serial and parallel composition, all steps in $W_1$ and $W_2$ are executed. In xor composition, either the steps in $W_1$ are executed or the steps in $W_2$, but not both. In other words, xor composition represents non-deterministic choice in a workflow specification. The graph of $W_1 \oplus W_2$ is formed by taking the union of $S_1$ and $S_2$, the union of $E_1$ and $E_2$, the addition of new start and finish steps $\alpha_{xor}$ and $\omega_{xor}$, and the addition of edges from $\alpha_{xor}$ to $\alpha_1$ and $\alpha_2$ and from $\omega_1$ and $\omega_2$ to $\omega_{xor}$.

Henceforth, we will assume that $\omega_1$ followed by $\alpha_2$ in serial composition will be merged to form a single (orchestration) node $e$. Similarly, we will assume that (i) $\alpha_{par}$ followed by $\alpha_1$ and $\alpha_2$ in parallel composition will be merged to form a single node $\alpha_{par}$; (ii) $\omega_{par}$ preceded by $\omega_1$ and $\omega_2$ will be merged to form a single node $\omega_{par}$; (iii) $\alpha_{xor}$ followed by $\alpha_1$ and $\alpha_2$ will be merged to form a single node $\alpha_{xor}$; (iv) $\omega_{xor}$ preceded by $\omega_1$ and $\omega_2$ will be merged to form a single node $\omega_{xor}$.

Serial and parallel composition are illustrated in Figure 3. The structure of xor composition is identical to that for parallel composition so it is not shown.

Figure 3: Workflow composition. (a) Serial: $\alpha_1 \to W_1 \to e \to W_2 \to \omega_2$. (b) Parallel.



4.2 Execution Sets 

When we have conditional branching in a workflow, there exists more than one set of steps that 
could comprise a complete workflow instance. Formally, an execution set is defined recursively: 

• for a workflow specification comprising a single step $s$, there is a single execution set $\{s\}$;

• if $W_1$ and $W_2$ are workflow specifications and $S_1$ and $S_2$ are execution sets for $W_1$ and $W_2$, respectively, then

— $S_1 \cup S_2$ is an execution set for $W_1 ; W_2$,

— $S_1 \cup S_2$ is an execution set for $W_1 \| W_2$,

— $S_1$ and $S_2$ are execution sets for $W_1 \oplus W_2$.

5 The workflows that arise from serial and parallel composition have a lot in common with series-parallel graphs; see [5], for example, for further details.
In our running example, both $\{s_1, s_2, s_3, s_4, s_5, s_6\}$ and $\{s_1, s_2, s_3', s_4, s_6\}$ represent possible execution sets, with the second set representing a workflow instance in which the value of goods ordered is lower than the threshold requiring the GRN to be countersigned.⁶

4.3 Workflow Formulas and Trees 

Clearly, each workflow step represents a workflow specification, in fact the simplest possible specification. Hence, we may represent the example workflow specification in Figure 2 as the workflow formula

$(s_1 ; s_2) ; (((s_3 ; s_5) \oplus s_3') \| s_4) ; s_6$.

Thus, we may also represent the workflow specification as a workflow tree, as illustrated in Figure 4.




Figure 4: A workflow tree for the formula above (leaves $s_1$, $s_2$, $s_3$, $s_5$, $s_3'$, $s_4$, $s_6$; internal nodes labelled $;$, $\|$ and $\oplus$)

The number of different possible execution sets is determined by the structure of the workflow formula. Specifically, let $\sharp(W)$ denote the number of possible execution sets for workflow $W$. For a workflow $W$ comprising a single step, we have $\sharp(W) = 1$. In general, we have

$\sharp(W_1 ; W_2) = \sharp(W_1 \| W_2) = \sharp(W_1) \cdot \sharp(W_2)$

where $\cdot$ denotes multiplication.

Using a post-order traversal of the workflow tree, we can compute the number of possible execution sets: we assign the value 1 to each leaf node; we compute the number of possible execution sets for each non-leaf node using the values assigned to its children and the appropriate formula for the operation associated with the node. The root node in the tree depicted in Figure 4 is assigned the value 2, for example.

We write $\flat(W)$ to denote the maximum number of steps in any possible execution set for a workflow specification $W$. Then

$\flat(W_1 ; W_2) = \flat(W_1 \| W_2) = \flat(W_1) + \flat(W_2)$,
$\flat(W_1 \oplus W_2) = \max\{\flat(W_1), \flat(W_2)\}$.

6 The concept of an execution set is related to, but simpler than, the concept of an execution history [7]: for any execution set $\{s_1, \ldots, s_m\}$, an execution history is a set $\{(s_1, u_1), \ldots, (s_m, u_m)\}$ for some users $u_1, \ldots, u_m$. An execution history also has some similarity to our concept of a plan.
Clearly, we can compute $\flat(W)$ from the workflow tree associated with $W$ using a similar algorithm to the one described above for calculating $\sharp(W)$.

4.4 Constraints in Conditional Workflows 

Let $W_1$ and $W_2$ be two workflow specifications with constraints $C_1$ and $C_2$, respectively. When we form $W_1 ; W_2$ or $W_1 \| W_2$, we include all constraints in $C_1$ and $C_2$. In addition, we may create new constraints, governing the execution of some steps in $S_1$ and some steps in $S_2$. However, we prohibit the addition of constraints in which all the steps are contained in either $S_1$ or $S_2$ (the assumption being that they would have been created earlier, if required). In other words, any constraint that is added when we form $W_1 ; W_2$ (or $W_1 \| W_2$) has the form $(\rho, S', S'')$, where $S' \cup S'' \not\subseteq S_1$ and $S' \cup S'' \not\subseteq S_2$.

In contrast, since xor composition requires that we either perform the steps in $S_1$ or those in $S_2$, any constraint that includes steps from both $S_1$ and $S_2$ serves no purpose. Hence, we assume that we add no constraints when we form $W_1 \oplus W_2$.

4.5 Derived Deterministic Workflows 

We say a workflow specification is deterministic if it has a single execution set (and non-deterministic otherwise). Each possible execution set in a non-deterministic workflow specification gives rise to a different, deterministic workflow specification. In particular, given a workflow specification $W = (S, E)$ with execution sets $\{S_1, \ldots, S_m\}$, we define $W_i = (S_i, E_i)$, where

$E_i \stackrel{\mathrm{def}}{=} (S_i \times S_i) \cap E$.

Then $W_i$ is a (derived) deterministic workflow specification.

For a constrained workflow specification $W = ((S, E), A, C)$ with possible execution sets $\{S_1, \ldots, S_m\}$, we define $W_i = ((S_i, E_i), A_i, C_i)$, where

$A_i = (S_i \times U) \cap A$,

and, for each $\gamma = (\rho, S', S'') \in C$ such that $S' \cap S_i \neq \emptyset$ and $S'' \cap S_i \neq \emptyset$,

$\gamma_i = (\rho, S' \cap S_i, S'' \cap S_i) \in C_i$.

Each $W_i$ is a deterministic, constrained workflow specification. Notice that when we form $\gamma_i$, $S' \cap S_i \neq \emptyset$ and $S'' \cap S_i \neq \emptyset$: this follows by a simple induction on the structure of the workflow formula and the assumptions we make about the addition of constraints when we compose workflows (as described in Section 4.4).

Hence, we may model any non-deterministic workflow specification as a collection of deter- 
ministic workflow specifications. We may define the notion of weakly satisfiable and strongly 
satisfiable for a non-deterministic specification: the former holds if there exists a derived, de- 
terministic workflow specification that is satisfiable; the latter holds if all derived, deterministic 
workflow specifications are satisfiable. In practice, it is likely that a workflow specification should 
be strongly satisfiable (otherwise there exist execution paths that can never complete). 
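As an added example (not code from the paper), the following Python builds the running example of Sections 4.2 to 4.5 as a nested-tuple workflow formula, enumerates its execution sets, computes $\sharp(W)$ and $\flat(W)$ by post-order traversal, derives the deterministic constrained specifications of Section 4.5 and decides weak and strong satisfiability by brute force. The users, the authorization relation and the constraints are constructed for illustration.

```python
"""Execution sets, derived deterministic specifications and weak/strong
satisfiability for the conditional purchase-order workflow (Sections 4.2-4.5).

Added example; not code from the paper.  A workflow formula is a nested
tuple: a step is a string, and (';', W1, W2), ('||', W1, W2) and
('xor', W1, W2) denote serial, parallel and xor composition.  The users,
the authorization relation AUTH and the constraints CONSTRAINTS are
constructed for illustration.
"""
from itertools import product

# Running example of Section 4.3: (s1 ; s2) ; (((s3 ; s5) xor s3') || s4) ; s6
W = (';', (';', 's1', 's2'),
     (';', ('||', ('xor', (';', 's3', 's5'), "s3'"), 's4'), 's6'))

# Constructed authorization relation A, as {step: set of authorized users}.
AUTH = {'s1': {'alice'}, 's2': {'bob', 'dave'}, 's3': {'carol'},
        "s3'": {'carol', 'dave'}, 's4': {'dave'}, 's5': {'carol'},
        's6': {'alice', 'bob'}}

# Constructed constraints (rho, S', S'') with rho in {'=', '!='}: satisfied
# if some pair (s', s'') in S' x S'' has users related by rho.  Each one
# respects Section 4.4: none is added across the two branches of the xor.
CONSTRAINTS = [('!=', {'s1'}, {'s2'}),          # different users for s1, s2
               ('!=', {'s3', "s3'"}, {'s4'}),   # GRN signer != payment creator
               ('!=', {'s3'}, {'s5'}),          # GRN signer != countersigner
               ('=', {'s1'}, {'s6'})]           # s6 performed by the s1 user


def execution_sets(w):
    """Recursive definition of Section 4.2; returns a set of frozensets."""
    if isinstance(w, str):
        return {frozenset([w])}
    op, w1, w2 = w
    e1, e2 = execution_sets(w1), execution_sets(w2)
    if op == 'xor':                         # one branch or the other
        return e1 | e2
    return {a | b for a in e1 for b in e2}  # ';' and '||': both branches


def sharp(w):
    """#(W), the number of execution sets, by post-order traversal."""
    if isinstance(w, str):
        return 1
    op, w1, w2 = w
    return sharp(w1) + sharp(w2) if op == 'xor' else sharp(w1) * sharp(w2)


def flat(w):
    """b(W), the maximum number of steps in any execution set."""
    if isinstance(w, str):
        return 1
    op, w1, w2 = w
    return max(flat(w1), flat(w2)) if op == 'xor' else flat(w1) + flat(w2)


def derive(S_i, auth, constraints):
    """Section 4.5: A_i = (S_i x U) & A, and C_i holds the restrictions of
    those constraints that meet S_i on both sides."""
    A_i = {s: auth[s] for s in S_i}
    C_i = [(rho, S1 & S_i, S2 & S_i) for rho, S1, S2 in constraints
           if S1 & S_i and S2 & S_i]
    return A_i, C_i


def holds(constraint, plan):
    rho, S1, S2 = constraint
    pairs = ((plan[a], plan[b]) for a in S1 for b in S2)
    return any((u == v) if rho == '=' else (u != v) for u, v in pairs)


def satisfiable(A_i, C_i):
    """Brute-force WSP on one derived deterministic specification."""
    steps = sorted(A_i)
    for choice in product(*(sorted(A_i[s]) for s in steps)):
        plan = dict(zip(steps, choice))
        if all(holds(c, plan) for c in C_i):
            return True
    return False


def weak_and_strong(w, auth, constraints):
    """(weak, strong): some / every derived specification is satisfiable."""
    results = [satisfiable(*derive(S_i, auth, constraints))
               for S_i in execution_sets(w)]
    return any(results), all(results)


if __name__ == '__main__':
    print(sharp(W), flat(W), weak_and_strong(W, AUTH, CONSTRAINTS))
```

With these constructed authorizations the high-value execution set is unsatisfiable (carol would have to sign and countersign), so the specification is weakly but not strongly satisfiable.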

Proposition 8. Let $W$ be an instance of $\mathrm{WSP}_1(=, \neq)$. Then we can determine whether $W$ is weakly or strongly satisfiable in time $O(\sharp(W)(\flat(W) - 1)^{\flat(W)})$.

Note that we can extend this result to $\mathrm{WSP}_2(=, \neq)$ as described in the proof of Theorem 5 (that is, using the reduction to multiple instances of $\mathrm{WSP}_1(=, \neq)$, where the number of instances is $O(\flat(W)^2)$). The above result asserts that the complexity of checking whether a workflow is strongly satisfiable is determined by $\flat(W)$ and $\sharp(W)$. Crude upper bounds for these parameters are $k$ and $2^k$, both functions of $k$ only. Thus, determining whether a conditional workflow is strongly satisfiable is FPT.

Of course, these bounds can be improved: the upper bound for $\flat(W)$ is only attained if no xor composition is used, in which case $\sharp(W) = 1$; conversely, introducing xor composition may reduce the maximum length, and using only xor composition reduces the number of derived specifications to $k$. The question is: What deployment of $k - 1$ composition operators for $k$ steps yields the worst-case complexity? We have the following result.

Theorem 9. Given $k$ workflow steps, a workflow has no more than:

• $3^{k'}$ execution sets if $k = 3k'$;

• $4 \cdot 3^{k'-1}$ execution sets if $k = 3k' + 1$; and

• $2 \cdot 3^{k'}$ execution sets if $k = 3k' + 2$.

Remark 10. The proof of the above result (see appendix) is constructive, in the sense that it tells us how to maximize the number of execution sets for a fixed set of $k$ steps. Given $k$ steps, we obtain a workflow with the greatest possible number of execution sets by taking the serial (or parallel) composition of sub-workflows $\oplus_2$ and $\oplus_3$, where $\oplus_i$ denotes the xor composition of $i$ steps. More specifically, if $k = 3a$, we take the serial composition of $a$ copies of $\oplus_3$; if $k = 3a + 1$, we take the serial composition of $a - 1$ copies of $\oplus_3$ and two copies of $\oplus_2$; and if $k = 3a + 2$, we take the serial composition of $a$ copies of $\oplus_3$ and one copy of $\oplus_2$. We may conclude that $\flat(W)$ for such a workflow is no greater than $\lceil k/3 \rceil$.

Remark 11. Note that using xor composition reduces $\flat(W)$. And note that the exponential term in the complexity of solving $\mathrm{WSP}_1(=, \neq)$ is determined by the number of steps in the workflow, for which an upper bound is $\flat(W)$ in the case of non-deterministic workflow specifications. For a fixed $k$, it follows from Theorem 9 that the worst-case complexity for $\mathrm{WSP}_1(=, \neq)$ occurs for a workflow specification with a single execution set (of $k$ steps).
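The following Python, added here and not taken from the paper, checks Theorem 9 and Remarks 10 and 11 for $2 \leqslant k \leqslant 8$ by enumerating every formula with $k$ steps (parallel composition is omitted because it contributes to $\sharp$ and $\flat$ exactly as serial composition does) and comparing the largest $\sharp(W)$ found with the stated bound and with the construction of Remark 10.

```python
"""Theorem 9 and Remarks 10-11 checked by exhaustive enumeration for small k.

Added example; not code from the paper.  A workflow formula is a nested
tuple (';', W1, W2) or ('xor', W1, W2) whose leaves are the string 's';
'||' is omitted because it contributes to #(W) and b(W) exactly as ';'
does (see the proof of Theorem 9).  Only the tree shape matters for these
two quantities, so steps are not named.  Theorem 9 is stated for k >= 2.
"""
from functools import lru_cache
from math import ceil


def sharp(w):
    """#(W): xor composition adds, serial (or parallel) multiplies."""
    if w == 's':
        return 1
    op, w1, w2 = w
    return sharp(w1) + sharp(w2) if op == 'xor' else sharp(w1) * sharp(w2)


def flat(w):
    """b(W): xor takes the maximum, serial (or parallel) adds."""
    if w == 's':
        return 1
    op, w1, w2 = w
    return max(flat(w1), flat(w2)) if op == 'xor' else flat(w1) + flat(w2)


@lru_cache(maxsize=None)
def shapes(k):
    """Every formula built from k steps with k - 1 composition operators."""
    if k == 1:
        return ('s',)
    out = []
    for k1 in range(1, k):
        for w1 in shapes(k1):
            for w2 in shapes(k - k1):
                out.append((';', w1, w2))
                out.append(('xor', w1, w2))
    return tuple(out)


def theorem_9_bound(k):
    """Upper bound on the number of execution sets stated in Theorem 9."""
    a, b = divmod(k, 3)
    return {0: 3 ** a, 1: 4 * 3 ** (a - 1), 2: 2 * 3 ** a}[b]


def max_sharp(k):
    """Largest #(W) over all formulas with k steps, found by enumeration."""
    return max(sharp(w) for w in shapes(k))


def xor_chain(i):
    """The sub-workflow written (+)_i in Remark 10: xor composition of i steps."""
    w = 's'
    for _ in range(i - 1):
        w = ('xor', w, 's')
    return w


def remark_10_workflow(k):
    """Serial composition of (+)_3 and (+)_2 blocks as Remark 10 prescribes."""
    a, b = divmod(k, 3)
    blocks = {0: [3] * a, 1: [3] * (a - 1) + [2, 2], 2: [3] * a + [2]}[b]
    w = xor_chain(blocks[0])
    for i in blocks[1:]:
        w = (';', w, xor_chain(i))
    return w


def single_execution_set_has_k_steps(k):
    """Remark 11: b(W) = k exactly when W has a single execution set."""
    return all((sharp(w) == 1) == (flat(w) == k) for w in shapes(k))


if __name__ == '__main__':
    for k in range(2, 9):
        w = remark_10_workflow(k)
        print(k, max_sharp(k), theorem_9_bound(k), sharp(w), flat(w), ceil(k / 3))
```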

5 Further Applications 

In this section, we study two problems from the literature and establish that they are fixed- 
parameter tractable. In both cases, we represent the problem as a workflow satisfiability problem 
using constraint expressions. 

5.1 Ordered WSP 

We note that the version of WSP considered so far in this paper makes no use of the order relation on the set of steps. This is a simplification introduced by Wang and Li [21]. In fact, the definition of workflow constraints by Crampton [10] prohibited constraints of the form $(\rho, s, s')$ for $s > s'$. Moreover, a plan was required to specify an execution order for the steps in the workflow (in addition to the assignment of steps to users). This, in turn, means that Crampton's definition of constraint satisfaction (and hence of the workflow satisfiability problem) is more complex. More formally, we have the following definitions.

Definition 12. Let $W = ((S, E), U, A, C)$ be a workflow comprising $k$ steps. A tuple $(s_1, \ldots, s_k)$ is an execution schedule for $W$ if $\{s_1, \ldots, s_k\} = S$ and, for all $1 \leqslant i < j \leqslant k$, $s_i \not> s_j$.⁷ We say $s_i$ precedes $s_j$ in an execution schedule if $i < j$.

7 In other words, an execution schedule is a linear extension or topological sort of $(S, \leqslant)$.

For the workflow depicted in Figure 1, $(s_2, s_1, \ldots)$ is not an execution schedule, for example, but $(s_1, s_2, s_3, s_5, s_4, s_6)$ and $(s_1, s_2, s_3, s_4, s_5, s_6)$ are.

Definition 13. The (Type 1) constraint $(\rho, s, s')$ is satisfied by execution schedule $\sigma$ and plan $\pi$ if one of the following holds: (i) $s$ precedes $s'$ in $\sigma$ and $(\pi(s), \pi(s')) \in \rho$; (ii) $s'$ precedes $s$ in $\sigma$.

The intuition here is that a constraint $(\rho, s, s')$ is well-formed only if $s$ could precede $s'$ in the execution of some instance of the workflow (that is, either $s < s'$ or $s \| s'$). Moreover, if $s$ does occur before $s'$, then the execution of $s'$ is constrained by $\rho$ and the identity of the user that performed $s$. A modified version of WSP, based on the above definitions, is defined in the following way.

Ordered WSP (OWSP)

Input: A constrained workflow authorization schema $((S, E), U, A, C)$.
Output: True if there exists an execution schedule $\sigma$ and a plan $\pi$ that satisfy all constraints in $C$, and False otherwise.



Note that it may not be possible to find a valid plan $\pi$ for a particular execution schedule $\sigma$. Conversely, there may be a plan $\pi$ for which there exist schedules $\sigma$ and $\sigma'$ such that $(\sigma, \pi)$ satisfies all constraints but $(\sigma', \pi)$ does not. Consider, for example, a plan $\pi$ that is valid for our purchase order workflow such that $\pi(s_3) = \pi(s_4)$. If we add the constraint $(\neq, s_3, s_4)$, then $\pi$ is valid for any execution schedule in which $s_4$ precedes $s_3$ and invalid otherwise.

The above example also shows there exist workflows for which a plan $\pi$ is not a solution to WSP, but for which $(\sigma, \pi)$ is a solution to OWSP for certain choices of $\sigma$. Crampton introduced the notion of a well-formed workflow, which has the following property: for all $s_i \| s_j$, $(\rho, s_i, s_j) \in C$ if and only if $(\rho^{-1}, s_j, s_i) \in C$, where $\rho^{-1}$ is defined to be $\{(u, u') \in U \times U : (u', u) \in \rho\}$. To ensure that the workflow in the above example is well-formed, we would add the constraint $(\neq, s_4, s_3)$ to $C$. It is easy to see that OWSP for well-formed workflows and WSP are essentially equivalent, since a valid plan for one execution schedule will be a valid plan for any execution schedule [10, Lemma 9].

Nevertheless, there will be business processes that cannot be represented using a well-formed workflow schema. In the purchase order example illustrated in Figure 1, for example, it would be quite reasonable to impose constraints on $s_3$ and $s_4$ that would mean the resulting workflow schema was not well-formed. Suppose, for example, that $\sim$ is an equivalence relation on $U$, where $u \sim u'$ if and only if $u$ and $u'$ belong to the same department. Then the constraints $(\nsim, s_3, s_4)$ and $(\neq, s_4, s_3)$ require that if $s_3$ (the sign GRN step) is performed before $s_4$ (the create payment step), then the user that performs $s_4$ must be in a different department from the user that performs $s_3$; whereas if the steps are performed in the reverse order, we only require the users to be different (since the more commercially sensitive step has been performed first in this case).

Note that OWSP is only defined for Type 1 constraints (see Definition 13). Wang and Li showed that WSP is W[1]-hard [13] for arbitrary constraint relations (even if only Type 1 constraints are used) [21]. Moreover, any instance of WSP defines an instance of OWSP. Thus, OWSP is W[1]-hard. However, there is a strong connection between WSP and OWSP.

Proposition 14. $\mathrm{OWSP}_1(\rho_1, \ldots, \rho_t)$ is FPT if $\mathrm{WSP}_1(\rho_1, \ldots, \rho_t)$ is.

A stronger notion of satisfiability for OWSP would require that there exists a plan for every execution schedule (as for conditional workflows). In this case, we simply require that every one of the $O(k!)$ derived instances of WSP is satisfiable. The worst-case complexity of determining "weak" and "strong" satisfiability for OWSP is, therefore, the same. Note that an instance of WSP is satisfiable if the corresponding instance of OWSP is strongly satisfiable.
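As an added illustration of Definitions 12 and 13 and of the per-schedule reduction in the proof of Proposition 14 (example code, not the paper's), the following Python enumerates the execution schedules of the purchase-order workflow, tests the plan with $\pi(s_3) = \pi(s_4)$ discussed above against $(\neq, s_3, s_4)$ and its converse, and decides weak and strong satisfiability of OWSP by brute force. The edges are reconstructed from the formula of Section 4.3 with the xor branch removed; the users and the authorization relation are constructed.

```python
"""Ordered WSP (Section 5.1): execution schedules as linear extensions of
(S, E) and Definition 13 for satisfaction of an ordered Type 1 constraint.

Added example; not code from the paper.  The edges of the purchase-order
workflow of Figure 1 are reconstructed from the formula of Section 4.3
with the xor branch removed (s1 -> s2 -> {s3 -> s5, s4} -> s6); users, the
authorization relation AUTH and the plan PLAN are constructed.
"""
from itertools import permutations, product

STEPS = ['s1', 's2', 's3', 's4', 's5', 's6']
EDGES = {('s1', 's2'), ('s2', 's3'), ('s2', 's4'), ('s3', 's5'),
         ('s4', 's6'), ('s5', 's6')}
AUTH = {'s1': {'alice'}, 's2': {'bob'}, 's3': {'carol'}, 's4': {'carol'},
        's5': {'dave'}, 's6': {'erin'}}
PLAN = {'s1': 'alice', 's2': 'bob', 's3': 'carol', 's4': 'carol',
        's5': 'dave', 's6': 'erin'}          # pi(s3) = pi(s4), as in the text


def execution_schedules(steps, edges):
    """Definition 12: the linear extensions (topological sorts) of (S, E)."""
    return [sched for sched in permutations(steps)
            if all(sched.index(a) < sched.index(b) for a, b in edges)]


def satisfied(constraint, schedule, plan):
    """Definition 13: (rho, s, s') holds under (schedule, plan) if s'
    precedes s, or if s precedes s' and (plan[s], plan[s']) is in rho."""
    rho, s, s_prime = constraint
    if schedule.index(s_prime) < schedule.index(s):
        return True
    return plan[s] == plan[s_prime] if rho == '=' else plan[s] != plan[s_prime]


def converse(constraint):
    """(rho^-1, s', s): the constraint a well-formed workflow must also hold."""
    rho, s, s_prime = constraint                  # '=' and '!=' are symmetric
    return (rho, s_prime, s)


def owsp(auth, edges, constraints):
    """(weak, strong): some schedule admits a valid plan / every schedule does.
    Plans are enumerated by brute force over the authorized users."""
    steps = sorted(auth)
    schedules = execution_schedules(steps, edges)
    plans = [dict(zip(steps, choice))
             for choice in product(*(sorted(auth[s]) for s in steps))]
    per_schedule = [any(all(satisfied(c, sch, p) for c in constraints)
                        for p in plans) for sch in schedules]
    return any(per_schedule), all(per_schedule)


if __name__ == '__main__':
    c = ('!=', 's3', 's4')
    for sch in execution_schedules(STEPS, EDGES):
        print(sch, satisfied(c, sch, PLAN))
    print(owsp(AUTH, EDGES, [c]), owsp(AUTH, EDGES, [c, converse(c)]))
```

Adding the converse constraint makes the schema well-formed, and the plan is then rejected under every schedule, as the text states for the WSP/OWSP equivalence.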
5.2 Identifying Constraint Violation

Consider the following problem: Given a constrained workflow specification $((S, E), U, A, C)$, does there exist a plan $\alpha$ such that $(s, \alpha(s)) \in A$ for all $s \in S$ and at least one constraint in $C$ that is not satisfied? This question is of interest because if we know that no such plan exists, then we do not need a reference monitor: any allocation of (authorized) users to steps will satisfy all the constraints. This question has been studied by Armando and colleagues [2, 4] and solutions have been computed using model checkers. We answer this question by examining the satisfiability of the "negation" of the problem, rewritten using the language of constraint expressions.

Theorem 15. Determining whether there exists a plan that violates a workflow specification $((S, E), U, A, C)$, where all constraints have the form $(=, S_1, S_2)$ or $(\neq, S_1, S_2)$, is FPT.

The approach described above can also be used to "prune" a workflow specification. Given a workflow specification $((S, E), U, A, C)$, we can identify, with the same (worst-case) time complexity, all constraints in $C$ that can be violated. This enables us to remove any constraints that cannot be violated, leaving a workflow specification $((S, E), U, A, C')$, with $C' \subseteq C$. In Section 2.2 we identified situations in which we may be required to solve WSP for a workflow specification multiple times. Thus, reducing the set of constraints will reduce the complexity of subsequent attempts to determine the satisfiability of the workflow specification.
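The rewriting in the proof of Theorem 15 and the pruning step above, as an added Python example (not the paper's code): each constraint is turned into the conjunction of complemented Type 1 constraints that holds exactly when it is violated, a violating authorized plan is sought by brute force over the resulting disjunctive normal form, and constraints that no authorized plan can violate are dropped. The steps, users, authorization relation and constraints are constructed.

```python
"""Identifying constraints that can be violated (Section 5.2, Theorem 15).

Added example; not code from the paper.  A constraint is (rho, S1, S2) with
rho in {'=', '!='}; Type 1 has |S1| = |S2| = 1, Type 2 has |S1| = 1 and
Type 3 is the general form.  The steps, users, authorization relation AUTH
and constraints C1..C4 below are constructed for illustration.
"""
from itertools import product

COMPLEMENT = {'=': '!=', '!=': '='}   # the complement of Delta is Delta^c

AUTH = {'s1': {'alice'}, 's2': {'bob', 'carol'}, 's3': {'carol'},
        's4': {'dave'}}
C1 = ('!=', {'s1'}, {'s4'})             # Type 1: alice vs dave, never violated
C2 = ('=', {'s2'}, {'s3'})              # Type 1: violated when s2 goes to bob
C3 = ('!=', {'s2'}, {'s3', 's4'})       # Type 2: violated only if s2 = s3 = s4
C4 = ('=', {'s1', 's2'}, {'s3', 's4'})  # Type 3: violated if all pairs differ
CONSTRAINTS = [C1, C2, C3, C4]


def violation_expression(constraint):
    """The conjunction of complemented Type 1 constraints that holds exactly
    when `constraint` is violated (proof of Theorem 15)."""
    rho, S1, S2 = constraint
    return [(COMPLEMENT[rho], s1, s2) for s1 in sorted(S1) for s2 in sorted(S2)]


def type1_holds(c, plan):
    rho, s1, s2 = c
    return plan[s1] == plan[s2] if rho == '=' else plan[s1] != plan[s2]


def authorized_plans(auth):
    """Every plan in which each step is assigned one of its authorized users."""
    steps = sorted(auth)
    for choice in product(*(sorted(auth[s]) for s in steps)):
        yield dict(zip(steps, choice))


def can_be_violated(auth, constraint):
    conj = violation_expression(constraint)
    return any(all(type1_holds(t, p) for t in conj) for p in authorized_plans(auth))


def violating_plan(auth, constraints):
    """An authorized plan that violates at least one constraint, or None.
    The plan must satisfy the disjunctive normal form whose disjuncts are
    the per-constraint conjunctions; one true disjunct suffices."""
    disjuncts = [violation_expression(c) for c in constraints]
    for plan in authorized_plans(auth):
        if any(all(type1_holds(t, plan) for t in d) for d in disjuncts):
            return plan
    return None                      # no reference monitor needed


def prune(auth, constraints):
    """Drop the constraints that no authorized plan can violate (Section 5.2)."""
    return [c for c in constraints if can_be_violated(auth, c)]


if __name__ == '__main__':
    print(violating_plan(AUTH, CONSTRAINTS))
    print(prune(AUTH, CONSTRAINTS))
```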

6 Concluding Remarks 

In this paper, we have explored the use of constraint expressions as a means of translating different versions of the workflow satisfiability problem into one or more instances of $\mathrm{WSP}_1(\neq)$. Constraint expressions provide a uniform way of representing the workflow satisfiability problem and related problems, such as WSP for conditional workflows (Section 4), ordered WSP and the identification of constraints that can be violated (Section 5). This, in turn, enables us to establish the complexity of solving these problems. We also believe our characterization of workflow composition, the representation of workflows as trees, and execution sets may be useful modeling tools for future research on authorization in workflow systems.

6.1 Related Work 

Work on computing plans for workflows that must simultaneously satisfy authorization policies and constraints goes back to the seminal paper of Bertino et al. [8]. This work considered linear workflows and noted the existence of an exponential algorithm for computing valid plans. Crampton extended the model for workflows to partially ordered sets (equivalently, directed acyclic graphs) and to directed acyclic graphs with loops [10]. Wang and Li further extended this model to include Type 2 constraints [21].

Wang and Li first investigated the computational complexity and, significantly, the existence of fixed-parameter tractable algorithms for the workflow satisfiability problem [21]. One of their main results [21, Theorem 9] is very similar to the result we prove for $\mathrm{WSP}_2(=, \neq)$ (Theorem 5), although our approach is more direct and generalizes to $\mathrm{WSP}_3(=, \neq)$. Crampton et al. introduced a new method for solving the problem [12], which yields significantly better complexity bounds for $\mathrm{WSP}_3(=, \neq)$. However, their methods only apply for certain kinds of constraints; indeed, it is not clear whether their approach extends to relations other than $\Delta$, $\Delta^c$ and constraints using equivalence relations defined on the user set.

The use of constraint expressions to represent and reason about the complexity of the workflow satisfiability problem appears, therefore, to have some significant advantages over existing approaches, one specific advantage being its versatility. Khan and Fong introduced the notion of a constraint expression to reason about the problem of workflow feasibility [16], which asks: Given a set of constraints and restrictions on admissible authorization policies, does there exist an authorization policy from which we can construct a valid plan? Their work was undertaken in the context of the relationship-based access control model [13], in which the "shape" of authorization policies is restricted, and does not explore fully the possibility of using constraint expressions to solve the "classical" workflow satisfiability problem.

It is widely accepted that it is useful to have conditional branching in workflow specifications [20, 22]. However, there is very little prior work on the workflow satisfiability problem, or its complexity, for conditional workflows. Khan's master's thesis includes work on existential satisfiability (what we have called weak satisfiability) and universal (strong) satisfiability [15, Chapter 8] but does not consider fixed parameter tractability.

6.2 Future Work 

There are a number of opportunities for future work. Crampton et al. studied the workflow satisfiability problem in the presence of constraints specified using an equivalence relation $\sim$ defined on $U$ [12]. The relation $\Delta$ may be viewed as an equivalence relation, in which each equivalence class is a single user. We would like to investigate whether our methods can be extended to solve $\mathrm{WSP}(=, \neq, \sim, \nsim)$, where $\sim$ is not equal to $\Delta$. This is a non-trivial problem as we cannot use our trick of considering only those steps for which there are fewer than $k$ authorized users. A second problem we would like to consider is the optimal workflow-aware authorization administration problem, which determines whether it is possible to modify the authorization relation, subject to some bound on the "cost" of the changes, when the workflow is unsatisfiable [7]. Finally, we would like (a) to remove the restriction that $(S, E)$ is an acyclic graph, so that we can model sub-workflows that can be repeated, and (b) to include inclusive gateways [22], allowing for one or more sub-workflows to be executed. Both of these extensions can be readily modeled using execution sets (or multisets). If, for example, $S_1$ and $S_2$ are execution sets for $W_1$ and $W_2$, respectively, then $S_1$, $S_2$ and $S_1 \cup S_2$ are execution sets for $W_1 + W_2$, where $+$ indicates inclusive-or composition.
A Proofs

Proof of the corollary to Theorem 5. For $\mathrm{WSP}_2(=, \neq)$, in the worst case, each constraint has the form $(\rho, s, S')$, with $s \notin S'$. Hence, the number of Type 2 constraints can be no greater than $k2^k$. It now follows from Theorem 5 that $\mathrm{WSP}_2(=, \neq)$ is FPT. For $\mathrm{WSP}_3(=, \neq)$, in the worst case, each constraint has the form $(\rho, S', S'')$. Thus, noting that $(\rho, S', S'')$ is equivalent to $(\rho, S'', S')$ for $\mathrm{WSP}_3(=, \neq)$, the number of Type 3 constraints can be no greater than $2^k \cdot 2^k = 2^{2k}$, from which it follows that $\mathrm{WSP}_3(=, \neq)$ is FPT. □

Proof of Proposition 8. The result follows by noting that determining strong satisfiability requires us to check whether all $\sharp(W)$ derived instances of $W$ are satisfiable, while determining weak satisfiability requires us to check whether at least one derived instance is satisfiable. The complexity, in the worst case, is the same. The complexity of checking a single instance is $(k' - 1)^{k'}$, where $k'$ is the number of steps in the derived instance. The result now follows. □

Proof of Theorem 9. First observe that we may disregard the $\|$ operator in computing an upper bound on $\sharp(W)$. To see this, note that the parallel operator requires, like the serial operator, that all steps in the sub-workflows are performed. In particular, an execution set for workflow $W_1 \| W_2$ has the form $S_1 \cup S_2$, where $S_i$ is an execution set for workflow $W_i$.

Recall that $\oplus_i$ represents the xor composition of $i$ steps and $\sharp(\oplus_i ; \oplus_j) = \sharp(\oplus_j ; \oplus_i) = ij$.

We proceed by induction on $k$. For $k = 2$, we may construct

$\oplus_1 ; \oplus_1$ and $\oplus_2$,

thus the result holds for $k = 2$. For $k = 3$, we may construct three different workflows:

$\oplus_1 ; \oplus_1 ; \oplus_1$, $\oplus_1 ; \oplus_2$, and $\oplus_3$,

thus the result holds for $k = 3$. Finally, for $k = 4$, we may construct

$\oplus_1 ; \oplus_1 ; \oplus_1 ; \oplus_1$, $\oplus_1 ; \oplus_1 ; \oplus_2$, $\oplus_1 ; \oplus_3$, $\oplus_2 ; \oplus_2$ and $\oplus_4$,

thus the result holds for $k = 4$.

Now consider $k > 4$ steps and suppose the result holds for all workflows constructed from $k - 1$ or fewer steps. Then for any split of $k$ into workflows $W_1$ and $W_2$ comprising $k_1$ and $k_2$ steps, respectively, such that $k_1 + k_2 = k$, we may form $W_1 ; W_2$ or $W_1 \oplus W_2$. Clearly, for $k > 4$, $\sharp(W_1 ; W_2) > \sharp(W_1 \oplus W_2)$. Moreover, $\sharp(W_1 ; W_2) = \sharp(W_1) \cdot \sharp(W_2)$.

First consider the case $k = 3a$ and let $k_i = 3a_i + b_i$, $i = 1, 2$, with $b_i \in \{0, 1, 2\}$. We assume (without loss of generality) that $b_1 \leqslant b_2$. If $b_1 = b_2$, then $k_1$ and $k_2$ are divisible by 3 and $\sharp(W_i) \leqslant 3^{a_i}$ by the inductive hypothesis, whence

$\sharp(W) = \sharp(W_1) \cdot \sharp(W_2) \leqslant 3^{a_1} \cdot 3^{a_2} = 3^a$.

If $b_1 = 1$ and $b_2 = 2$, then we have $a_1 + a_2 = a - 1$ and

$\sharp(W) = \sharp(W_1) \cdot \sharp(W_2) \leqslant 4 \cdot 3^{a_1 - 1} \cdot 2 \cdot 3^{a_2} = 8 \cdot 3^{a - 2} < 3^a$

and the result holds.

Now consider the case $k = 3a + 1$. If $b_1 = 0$, then $b_2 = 1$ and $a_1 + a_2 = a$. Hence, by the inductive hypothesis, we have

$\sharp(W) \leqslant 3^{a_1} \cdot 4 \cdot 3^{a_2 - 1} = 4 \cdot 3^{a - 1}$,

as required. If $b_1 = b_2$, then we have $b_i = 2$ and $a_1 + a_2 = a - 1$. Hence, by the inductive hypothesis, we have

$\sharp(W) \leqslant 2 \cdot 3^{a_1} \cdot 2 \cdot 3^{a_2} = 4 \cdot 3^{a - 1}$,

as required.

Finally, consider the case $k = 3a + 2$. If $b_1 = 0$, then $b_2 = 2$ and $a_1 + a_2 = a$. Hence, by the inductive hypothesis, we have

$\sharp(W) \leqslant 3^{a_1} \cdot 2 \cdot 3^{a_2} = 2 \cdot 3^a$,

as required. If $b_1 = b_2$, then $b_i = 1$ and $a_1 + a_2 = a$. Hence, we have

$\sharp(W) \leqslant 16 \cdot 3^{a_1 + a_2 - 2} = \tfrac{16}{9} \cdot 3^a < 2 \cdot 3^a$,

as required. □

Proof of Proposition 14. An instance of $\mathrm{OWSP}_1$ contains a set of constraints $C$ and we may assume that $C$ contains at least two constraints of the form $(\rho_i, s, s')$ and $(\rho_j, s', s)$ with $\rho_i \neq \rho_j$. (If no such constraints exist then $\mathrm{OWSP}_1(\rho_1, \ldots, \rho_t)$ is identical to an instance of $\mathrm{WSP}_1(\rho_1, \ldots, \rho_t)$.) Observe that the number of linear extensions of $(S, \leqslant)$ (and hence possible execution schedules) is determined only by $k$. Specifically, the number of linear extensions is no greater than $k!$. Note also that in any execution of the workflow, either $s$ precedes $s'$ or vice versa. Hence each linear extension allows us to discard either $(\rho_i, s, s')$ or $(\rho_j, s', s)$ (since exactly one of them will be irrelevant to the schedule defined by the linear extension), thus defining an instance of WSP that contains fewer constraints than the original problem. In other words, we may consider our instance of $\mathrm{OWSP}_1$ to be the disjunction of $k!$ instances of $\mathrm{WSP}_1$. If each instance of $\mathrm{WSP}_1$ is FPT, we can solve each of these instances, thus solving the original instance of $\mathrm{OWSP}_1$. □

Proof of Theorem 15. A Type 1 constraint $(\rho, s, s')$ is satisfied by a plan $\alpha$ if $(\alpha(s), \alpha(s')) \in \rho$ and is not satisfied ("violated") otherwise. In other words, $(\rho, s, s')$ is violated by $\alpha$ if $(\alpha(s), \alpha(s')) \notin \rho$. Equivalently, a constraint $(\rho, s, s')$ is violated iff $(\bar\rho, s, s')$ is satisfied, where

$\bar\rho = \{(u, u') \in U \times U : (u, u') \notin \rho\}$.

A Type 2 constraint $(\rho, s, S')$, $S' \subseteq S$, is violated if $(\rho, s, s')$ is violated for all $s' \in S'$. In other words, $(\rho, s, S')$ is violated iff the constraint expression

$\bigwedge_{s' \in S'} (\bar\rho, s, s')$

is satisfied. Similarly, a Type 3 constraint $(\rho, S', S'')$ is violated iff the constraint expression

$\bigwedge_{s' \in S',\, s'' \in S''} (\bar\rho, s', s'')$

is satisfied. Finally, a set of constraints $\{c_1, \ldots, c_t\}$ is violated if at least one $c_i$ is violated. In other words, we can determine whether there exists a plan that violates a set of constraints by determining if there exists a plan $\alpha$ that satisfies a constraint expression in disjunctive normal form, where each clause is a conjunction of Type 1 constraints. We make the following observations.

• There are no more than $c$ disjuncts, where $c$ is the number of constraints in the original workflow specification.

• A Type 2 constraint, when rewritten in the above way, gives rise to a conjunction of no more than $k - 1$ Type 1 constraints, while a Type 3 constraint gives rise to no more than $k^2$ Type 1 constraints.

• There can be no more than $k2^k$ Type 2 constraints in a workflow specification and no more than $4^k$ Type 3 constraints.

• $\bar\Delta$ is $\Delta^c$ and $\overline{\Delta^c}$ is $\Delta$.

• By Theorem 5, the time taken to solve $\mathrm{WSP}_1(\Delta, \Delta^c)$ (that is, $\mathrm{WSP}_1(=, \neq)$) is $O(c(k - 1)^k + kn)$, where $c$ is the number of constraints.

Therefore, there exists an FPT algorithm to determine whether there exists a plan $\pi$ in which each user is authorized and a constraint that $\pi$ does not satisfy, since we need only find a single disjunct that is true, and each disjunct represents a workflow specification containing only Type 1 constraints. The time taken to solve this new problem is $O(k2^{k-1}((k - 1)^{k+1} + kn))$ for Type 2 constraints and $O(4^k(k(k - 1)^{k+1} + kn))$ for Type 3 constraints. □